In a file sharing system in which a user uploads a file onto a server and the file is shared by a plurality of users, the following three methods (1) to (3) are used to keep the file secret from the server.
(1) An individual key system for encrypting a file by means of individual encryption keys for respective users.
(2) A common key system for encrypting a file by means of an encryption key common to the users.
(3) A re-encryption system for encrypting a file using a proxy re-encryption system.
In the systems (1) to (3), a user A is assumed to upload a file onto a server, and the user A is assumed to share the file with users B and C.
In the individual key system (1), each user has a pair of a private key and a public key, and the pair differs from user to user. The user A encrypts a file by means of a public key of the user B (which is an individual encryption key for the user B), and uploads the encrypted file onto the server. Likewise, the user A encrypts a file by means of a public key of the user C (which is an individual encryption key for the user C), and uploads the encrypted file onto the server. That is, the user A encrypts a file individually for each of the users who share that file.
In the common key system (2), the users share a single pair of a private key and a public key, which is common to all of them. The user A encrypts a file by means of the public key (which is an encryption key common to the users), and uploads the encrypted file onto the server. The users share an identical private key.
In the proxy re-encryption system (3), each user has a pair of a private key and a public key, and the pair differs from user to user, as in the individual key system (1). However, unlike in the individual key system (1), the user A may encrypt a file by means of a public key (to be referred to as a group public key hereinafter) of an entity (to be referred to as a group administrator hereinafter) who manages a group of users. The server uses a re-encryption key to re-encrypt an encrypted file (uploaded by the user A) to an encrypted file which can be decrypted only by each user. Details of the proxy re-encryption system will be described later.
In the individual key system (1), to share a file also with a new user D, the user A disadvantageously needs to encrypt the file using a public key of the user D (which is an individual encryption key of the user D) and to upload the encrypted file onto the server. Therefore, the system (1) is not suitable for a file sharing system that involves a large number of new users or files to be shared, because troublesome processing is needed whenever a new user is added.
In the common key system (2), when a certain user (for whom file sharing has been permitted until then) is to be inhibited from sharing files from a certain point in time, an additional separate mechanism is disadvantageously needed to update the private key and the public key common to the users. Furthermore, if the private key common to the users leaks for some reason, all encrypted files can disadvantageously be decrypted (by any person who acquires the leaked private key). For this reason, the common key system (2) is not suitable for the file sharing system.
On the other hand, in the proxy re-encryption system (3), since the server uses a re-encryption key to re-encrypt one ciphertext to a ciphertext which can be decrypted only by each user, a configuration which does not notify the users of the re-encryption key is adopted to solve the aforementioned problems. For this reason, the proxy re-encryption system (3) is suitable for the file sharing system.
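The flow of system (3) can be traced with a toy scheme. The following is an added example, not code from this document: it uses the classic ElGamal-based scheme of Blaze, Bleumer and Strauss rather than the scheme of the embodiments, with constructed parameters far too small for real use, and all function names are hypothetical. It shows the user A uploading one ciphertext under the group public key and the server re-encrypting it for users B, C and a later user D without any re-upload; it makes no claim of collusion resistance.

```python
import secrets

# Toy parameters, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P, Q prime; G generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen():
    """Return (private key, public key) = (x, G^x mod P) with 1 <= x < Q."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    """Encrypt m (1 <= m < P) under pk = G^a: returns (m*G^r, G^(a*r))."""
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)

def rekey(sk_from, sk_to):
    """Re-encryption key sk_to/sk_from mod Q. Assumption: computed from both
    private keys, a simplification of this toy scheme."""
    return (sk_to * pow(sk_from, -1, Q)) % Q

def reencrypt(rk, ct):
    """Server side: turn G^(a*r) into G^(b*r) without seeing m or a private key."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)

def decrypt(sk, ct):
    """Recover m from a ciphertext whose second part is G^(sk*r)."""
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)
    return (c1 * pow(g_r, -1, P)) % P

def demo(m=777):
    """User A uploads once under the group public key; B, C and later D each
    decrypt their own re-encrypted copy. Returns {user: recovered plaintext}."""
    group_sk, group_pk = keygen()              # held by the group administrator
    users = {name: keygen() for name in ("B", "C")}
    stored = encrypt(group_pk, m)              # the single ciphertext on the server
    rks = {n: rekey(group_sk, sk) for n, (sk, _) in users.items()}
    users["D"] = keygen()                      # new user: only a new key is issued
    rks["D"] = rekey(group_sk, users["D"][0])
    return {n: decrypt(users[n][0], reencrypt(rks[n], stored)) for n in users}

if __name__ == "__main__":
    print(demo())
```

In a real deployment the value m would be a symmetric key that encrypts the file itself, so that only this small key needs to be re-encrypted per user.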
According to R. Hayashi, T. Matsushita, T. Yoshida, Y. Fujii, and K. Okada, “Unforgeability of Re-Encryption Keys against Collusion Attack in Proxy Re-Encryption,” In Proc. IWSEC 2011, LNCS 7038, pp. 210-229, Springer-Verlag, 2011 (hereinafter referred to as Patent Literature 1), and T. Isshiki, N. Manh Ha, and K. Tanaka, “Attacks to the Proxy Re-Encryption Schemes from IWSEC2011,” In Proc. IWSEC 2013, LNCS 8231, pp. 290-302, 2013 (hereinafter referred to as Patent Literature 2), in the proxy re-encryption system described in Patent Literature 1, even when the server and one user collude, a decryption right is hindered from being re-delegated without permission from a transfer source. However, no system is disclosed which achieves this security also when two or more users collude with the server.
An object of the embodiments is to provide a re-encryption key generator, a re-encryption apparatus, a decryption apparatus, and a storage medium which enable the decryption right to be hindered from being re-delegated without permission from a transfer source even when the server colludes with a plurality of users.